Installing CSI driver

Learn how to install cert-manager and the CSI driver component using Helm or the Venafi CLI tool.

Prerequisites

  • If you want to install the CSI driver using Helm, you'll need the following:

    • Your cluster must be running Kubernetes 1.19 or later.
    • You must have permission to install Helm charts on your Kubernetes cluster.
    • You must have kubectl installed on your system.
    • You must have Helm 3.8.0 or later installed on your system.

Step 1: Install cert-manager and CSI driver

The CSI driver component requires cert-manager to be installed.

You can install cert-manager and the CSI driver component in two ways:

  • Using the Venafi CLI tool
  • Using Helm

To install cert-manager and CSI driver using the Venafi CLI tool

The Venafi CLI tool offers the quickest and easiest method for installing CSI driver.

  1. If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.
  2. Initialize the Venafi Kubernetes Manifest tool:

    venctl components kubernetes manifest tool init
    
  3. Issue the following command to generate a Venafi Kubernetes manifest which, when applied, will install the default versions of both cert-manager and CSI driver:

    A sample command for users of the US region OCI registry:

    venctl components kubernetes manifest generate --region us --cert-manager --csi-driver > helmfile.yaml
    

    A sample command for users of the EU region OCI registry:

    venctl components kubernetes manifest generate --region eu --cert-manager --csi-driver > helmfile.yaml
    

    A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

    venctl components kubernetes manifest generate \
      --region custom \
      --cert-manager \
      --cert-manager-custom-chart-repository oci://myregistry.example.com/charts/cert-manager \
      --cert-manager-custom-image-registry myregistry.example.com \
      --csi-driver-custom-chart-repository  oci://myregistry.example.com/charts/cert-manager-csi-driver \
      --csi-driver-custom-image-registry myregistry.example.com \
      --csi-driver > helmfile.yaml
    
  4. To apply the manifest, use the following command:

    venctl components kubernetes manifest tool sync --file helmfile.yaml
    

    For more information and options on using the Venafi CLI tool to install CSI driver, see the Venafi CLI tool reference page.

    Tip

    To find out the current default version of CSI driver (and all the Venafi Kubernetes components you can install with the Venafi CLI tool), use the venctl components kubernetes manifest print-versions command.

To install cert-manager and CSI driver using Helm

  1. Configure access to the Venafi OCI registry. Follow the instructions in Configuring access to the Venafi OCI Registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.

    The sample file below, for example, assumes you created the following Kubernetes Secret:

    • namespace: venafi
    • name: venafi-image-pull-secret
  2. To install cert-manager in the venafi namespace, and configure it to use the pull-secret, create a file cert-manager.values.yaml containing the following content.

    A sample cert-manager.values.yaml for users of the US region OCI registry:

    # cert-manager.values.yaml
    global:
      imagePullSecrets:
        - name: venafi-image-pull-secret
    
    # Helm values files need nested keys; a literal "crds.enabled" key is ignored.
    crds:
      enabled: true
    
    image:
      repository: private-registry.venafi.cloud/cert-manager/cert-manager-controller
    
    acmesolver:
      image:
        repository: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver
    
    webhook:
      image:
        repository: private-registry.venafi.cloud/cert-manager/cert-manager-webhook
    
    cainjector:
      image:
        repository: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector
    
    startupapicheck:
      image:
        repository: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck
    

    Use the helm upgrade command to install cert-manager:

    helm upgrade -i -n venafi cert-manager oci://registry.venafi.cloud/charts/cert-manager \
      --set extraArgs={--controllers='*\,-certificaterequests-approver'} \
      --set crds.enabled=true \
      --values cert-manager.values.yaml \
      --create-namespace \
      --version v1.15.0
    

    A sample cert-manager.values.yaml for users of the EU region OCI registry:

    # cert-manager.values.yaml
    global:
      imagePullSecrets:
        - name: venafi-image-pull-secret
    
    # Helm values files need nested keys; a literal "crds.enabled" key is ignored.
    crds:
      enabled: true
    
    image:
      repository: private-registry.venafi.eu/cert-manager/cert-manager-controller
    
    acmesolver:
      image:
        repository: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver
    
    webhook:
      image:
        repository: private-registry.venafi.eu/cert-manager/cert-manager-webhook
    
    cainjector:
      image:
        repository: private-registry.venafi.eu/cert-manager/cert-manager-cainjector
    
    startupapicheck:
      image:
        repository: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck
    

    Use the helm upgrade command to install cert-manager:

    helm upgrade -i -n venafi cert-manager oci://registry.venafi.cloud/charts/cert-manager \
      --set extraArgs={--controllers='*\,-certificaterequests-approver'} \
      --set crds.enabled=true \
      --values cert-manager.values.yaml \
      --create-namespace \
      --version v1.15.0
    

    A sample cert-manager.values.yaml for users with their own organizational OCI registry. Be sure to update this file and the command that follows it with the URI of your own company's registry:

    # cert-manager.values.yaml
    global:
      imagePullSecrets:
        - name: venafi-image-pull-secret
    
    # Helm values files need nested keys; a literal "crds.enabled" key is ignored.
    crds:
      enabled: true
    
    image:
      repository: myregistry.example.com/cert-manager/cert-manager-controller
    
    acmesolver:
      image:
        repository: myregistry.example.com/cert-manager/cert-manager-acmesolver
    
    webhook:
      image:
        repository: myregistry.example.com/cert-manager/cert-manager-webhook
    
    cainjector:
      image:
        repository: myregistry.example.com/cert-manager/cert-manager-cainjector
    
    startupapicheck:
      image:
        repository: myregistry.example.com/cert-manager/cert-manager-startupapicheck
    

    Use the helm upgrade command to install cert-manager:

    helm upgrade -i -n venafi cert-manager oci://myregistry.example.com/charts/cert-manager \
      --set extraArgs={--controllers='*\,-certificaterequests-approver'} \
      --set crds.enabled=true \
      --values cert-manager.values.yaml \
      --create-namespace \
      --version v1.15.0
    

    Note

    As of cert-manager v1.15.0, the installCRDs value is deprecated in favor of crds.enabled.

  3. Use the Helm upgrade command to install the CSI driver:

    A sample command for users of the US region OCI registry:

    helm upgrade -i -n venafi cert-manager-csi-driver oci://private-registry.venafi.cloud/charts/cert-manager-csi-driver --wait \
      --set image.repository=private-registry.venafi.cloud/csi-driver/cert-manager-csi-driver \
      --set livenessProbeImage.repository=private-registry.venafi.cloud/csi-driver/livenessprobe \
      --set nodeDriverRegistrarImage.repository=private-registry.venafi.cloud/csi-driver/csi-node-driver-registrar \
      --version v0.8.1
    

    A sample command for users of the EU region OCI registry:

    helm upgrade -i -n venafi cert-manager-csi-driver oci://private-registry.venafi.eu/charts/cert-manager-csi-driver --wait \
      --set image.repository=private-registry.venafi.eu/csi-driver/cert-manager-csi-driver \
      --set livenessProbeImage.repository=private-registry.venafi.eu/csi-driver/livenessprobe \
      --set nodeDriverRegistrarImage.repository=private-registry.venafi.eu/csi-driver/csi-node-driver-registrar \
      --version v0.8.1
    

    A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

    helm upgrade -i -n venafi cert-manager-csi-driver oci://myregistry.example.com/charts/cert-manager-csi-driver --wait \
      --set image.repository=myregistry.example.com/csi-driver/cert-manager-csi-driver \
      --set livenessProbeImage.repository=myregistry.example.com/csi-driver/livenessprobe \
      --set nodeDriverRegistrarImage.repository=myregistry.example.com/csi-driver/csi-node-driver-registrar \
      --version v0.8.1
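
A pre-install check for the cert-manager.values.yaml samples above, added here as an example and not part of the Venafi documentation or tooling: it confirms that each of the five image overrides is present and points at the expected registry host, since a missing override leaves that component on the chart's default image location and a mistyped one pulls from a different host. The function name, the sample values and the mistyped host are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Venafi tooling): audit image overrides in a values file.

# check_values_registry <registry-host>   (values YAML is read from stdin)
# Prints one line per problem; exit status 0 = clean, 1 = problems found.
check_values_registry() {
  awk -v host="$1" '
    BEGIN {
      # Top-level keys whose image the sample values files on this page override.
      n = split("image acmesolver webhook cainjector startupapicheck", want, " ")
    }
    /^[A-Za-z]/ { top = $1; sub(/:.*/, "", top) }   # remember current top-level key
    $1 == "repository:" {
      seen[top] = 1
      # The value must START with "<host>/"; a substring match is not enough.
      if (index($2, host "/") != 1) {
        print top ": unexpected registry in " $2
        bad++
      }
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(want[i] in seen)) { print want[i] ": no repository override"; bad++ }
      exit (bad > 0)
    }
  '
}

# Constructed sample: webhook has a mistyped host, cainjector has no override.
SAMPLE_VALUES='image:
  repository: myregistry.example.com/cert-manager/cert-manager-controller
acmesolver:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-acmesolver
webhook:
  image:
    repository: pmyregistry.example.com/cert-manager/cert-manager-webhook
startupapicheck:
  image:
    repository: myregistry.example.com/cert-manager/cert-manager-startupapicheck'

# Usage: check_values_registry myregistry.example.com < cert-manager.values.yaml
```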
    

Step 2: Verify the installation

To verify that the installation completed correctly, check that the CSIDriver resource exists and that the CSINode resource for each node lists the csi.cert-manager.io driver:

$ kubectl get csidrivers
NAME                     CREATED AT
csi.cert-manager.io   2019-09-06T16:55:19Z

$ kubectl get csinodes -o yaml
apiVersion: v1
items:
- apiVersion: storage.k8s.io/v1beta1
  kind: CSINode
  metadata:
    name: kind-control-plane
    ownerReferences:
    - apiVersion: v1
      kind: Node
      name: kind-control-plane
...
  spec:
    drivers:
    - name: csi.cert-manager.io
      nodeID: kind-control-plane
      topologyKeys: null
...
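
The per-node part of this check can be scripted rather than read by eye. The following is an added example, not part of the original documentation: it lists every node whose CSINode object does not register csi.cert-manager.io, which is where pods requesting a CSI certificate volume would fail to mount it. The function names and the sample listing are constructed; the kubectl call uses standard jsonpath output.

```shell
#!/bin/sh
# Added example: report nodes whose CSINode object does not list the driver.
DRIVER="csi.cert-manager.io"

# Emits one line per CSINode: "<node name><TAB><space-separated driver names>".
list_csinode_drivers() {
  kubectl get csinodes -o \
    jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.drivers[*].name}{"\n"}{end}'
}

# Reads that listing on stdin and prints every node that lacks $DRIVER.
# Exit status 0 = driver registered on every node; 1 = at least one node is
# missing it, or the listing was empty (no CSINode objects at all).
nodes_missing_driver() {
  awk -F '\t' -v drv="$DRIVER" '
    NF == 0 { next }                         # ignore blank lines
    {
      seen++
      found = 0
      n = split($2, names, " ")              # n is 0 when a node has no drivers
      for (i = 1; i <= n; i++)
        if (names[i] == drv) found = 1       # exact name match only
      if (!found) { print $1; missing++ }
    }
    END { exit (seen == 0 || missing > 0) }
  '
}

# Constructed sample listing (not captured from a real cluster):
# kind-worker2 has no drivers, kind-worker3 has only a look-alike name.
SAMPLE_LISTING="$(printf '%s\t%s\n' \
  kind-control-plane 'csi.cert-manager.io' \
  kind-worker        'other.csi.example.com csi.cert-manager.io' \
  kind-worker2       '' \
  kind-worker3       'csi.cert-manager.io.example')"

# Usage against a live cluster: list_csinode_drivers | nodes_missing_driver
```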